Google's Project Zero Team Finds an iOS Exploit Allowing Hackers to tap into conversations through iMessage & more
Yesterday, as Apple sent out media notices of its September 10th event, Google's Project Zero team released news of a newly discovered iOS exploit.
The blog entry states that "Project Zero’s mission is to make 0-day hard. We often work with other companies to find and report security vulnerabilities, with the ultimate goal of advocating for structural security improvements in popular systems to help protect people everywhere.
Earlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.
There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week." You can learn more about this find here.
Bloomberg's cybersecurity writer Allison Ingersoll, writing about this today, noted that the discovered bug targets "a small number of websites. Simply visiting those pages could have left iPhone users susceptible to the breach and possibly affected thousands of users per week.
Visiting the unnamed sites allowed hackers to gain access to a plethora of information, including the ability to track movements via the phone’s GPS system, to obtaining passwords and being privy to sensitive conversations through iMessage and WhatsApp.
Earlier in August Apple’s top security engineer said the company would begin distributing special iPhones to researchers to help them discover flaws before malicious hackers do."
Patently Apple covered this in a report titled: "Microsoft and Apple Level up Star Hacker Bug Bounties." In the report we noted that Apple announced plans to give security researchers developer versions of its iPhone, featuring access to the underlying software and hardware that normal users don't get. These phones, which will be available only to existing participants in Apple's invitation-only bug bounty program, will let them inspect system memory, for example.
Google’s Project Zero is an elite unit of Alphabet Inc.’s Google, made up of cybersleuths who hunt for "zero day" vulnerabilities -- unintended design flaws that can be exploited by hackers to break into computer systems.
Bloomberg's report further noted that "Ian Beer, a Project Zero researcher said attackers exploited fourteen different software flaws, including seven which targeted Safari, the Apple product’s built-in web browser. Through developing five distinct entry points, the cybercriminals could access various features on the phone, including those usually off-limits to users. This meant hackers could quietly install malware onto the device without the owner knowing." For more, read the full Bloomberg report.
If you're interested in knowing more about Project Zero's Ian Beer, you could view the video below where Beer talked about "A deep-dive into the many flavors of IPC available on OS X" back in 2015.